SAND/DVNE

This is some older work, from as old as 2006 or so. This isn’t something you’d want to use in a project today, but in 2006 – a year before Palo Alto Networks released their first firewall – we thought it was pretty exciting that we’d built a general purpose tool to identify protocols regardless of port number.

This signature-based engine for protocol identification started as a side project by Collin McMillan and was one of the first tasks I took on as an undergraduate researcher in the Enterprise Security Group at the University of Tulsa (TU). I took ownership after he left TU and rewrote the engine in Python. The result is a library called pysand, suitable, among other uses, for backing a passive network monitor that identifies protocols regardless of port number using deep packet inspection.
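To illustrate the core idea of port-agnostic, signature-based protocol identification, here is a small added example (not pysand's code and not its signature set): a few constructed payload signatures for the leading bytes of a connection, applied to constructed sample flows, with a defender-oriented check that flags protocols appearing on ports where they are not expected.

```python
import re

# Constructed payload signatures (added example, not pysand's own signature set).
# Each pattern is anchored at the start of the first payload bytes of a connection.
SIGNATURES = [
    ("http-request",  re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("http-response", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("ssh",           re.compile(rb"^SSH-(1\.99|2\.0)-")),
    # TLS record type 22 (handshake), version 3.x, 2-byte length, handshake type 1 (ClientHello)
    ("tls",           re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("smtp-banner",   re.compile(rb"^220[ -].*SMTP", re.IGNORECASE)),
]

# Ports where each protocol is normally expected (assumed; used only to spot mismatches).
EXPECTED_PORTS = {"http-request": {80, 8080}, "http-response": {80, 8080},
                  "ssh": {22}, "tls": {443}, "smtp-banner": {25, 587}}

def identify(payload: bytes) -> str:
    """Return the first matching protocol name based on payload bytes alone, or 'unknown'."""
    head = payload[:64]  # only the leading bytes matter for these signatures
    for name, pattern in SIGNATURES:
        if pattern.match(head):
            return name
    return "unknown"

def classify_flows(flows):
    """Classify (server_port, payload) pairs and flag protocol/port mismatches.

    Returns a list of (server_port, protocol, mismatch) tuples; mismatch is True
    when a recognised protocol is seen on a port outside its expected set.
    """
    results = []
    for server_port, payload in flows:
        proto = identify(payload)
        expected = EXPECTED_PORTS.get(proto)
        mismatch = expected is not None and server_port not in expected
        results.append((server_port, proto, mismatch))
    return results

# Constructed sample flows: first payload bytes observed on each connection.
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH on the HTTPS port: worth a closer look
    (8443, b"GET / HTTP/1.0\r\n\r\n"),    # plain HTTP on a non-standard port
    (22,   b"\x00\x01\x02\x03"),          # nothing we recognise
]

if __name__ == "__main__":
    for port, proto, mismatch in classify_flows(SAMPLE_FLOWS):
        flag = "  <-- protocol does not match port" if mismatch else ""
        print(f"port {port:5d}: {proto}{flag}")
```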

We demonstrated a version of the tool at the FAA’s Computer Security Incident Response Center to great success. I wrote about it in my first full-length peer-reviewed publication (PDF) and later, with Cody Pollet, added a multi-touch interface for visualizing network streams; we presented this work in a talk at DEFCON 17 and in the poster session at USENIX Security.

Acknowledgments

This work is based upon collaboration with:

  • Collin McMillan
  • Kevin Clark
  • Christopher Johnson
  • Dr. John Hale
  • Cody Pollet
  • Matt Young

Links

Source code repository